UAC for individual .EXEs

BeeJ

How do I set the UAC to off for individual .EXE?
e.g. Opera, and others I know are OK to open.
 
VanguardLH

Bob said:
> You bypass it by using the Task Scheduler to fire off the exe.

What's missing from Bob's response is that you define a scheduled task
(but not a time to run it or disable the event) and then use/copy a
shortcut for the schtasks.exe shortcut.

For an example, see:
http://social.technet.microsoft.com...y/thread/6cfaab82-da82-4ff9-aa61-416f6134c34d

Since the schtasks.exe program will elevate the program it loads;
however, changing priority (from the default of Below-Normal) is
mentioned here by editing the XML file (export, edit, import). Remember
to NOT define the task to "Run as Administrator" but instead to "Run
with highest privileges".

Obviously the elevation accomplished by using schtasks.exe only works
when you use that shortcut to load the app. If the program is called as
a child process, like you clicking on a hypertext link in a message
viewed in your e-mail client then the shortcut is not used so there
won't be any elevation of the web browser.

I don't think you can edit the registry to add an "auto-elevate"
privilege mode to a hash or path rule in a software restriction policy
(SRP). Unrestricted (run), Disallowed (block), and Basic (run as normal
user) are it. If there were a privilege mode for auto-elevate then you
could define a path policy for the executable so it always got
auto-elevated even if run as a child process (i.e., when the executable
was called and loaded by a parent process).

Alternatively, I've seen mention of using the Application Compatibility
Toolkit (ACT) to get a program elevated but, I think, that also requires
a certificate to digitally sign the application (i.e., you install a
signed app) along with a manifest defined inside the app that specifies
its privilege level. Opera already digitally signs their installer but
that doesn't mean the app's executable is signed. Right-clicking on
opera.exe shows the file is digitally signed. There are lots of
articles on how to use the ACT to modify the RunAsInvoker attribute for
an app. No point in me pointing at or duplicating all that info.

Enjoy.
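
An added example, not part of the original post: a Python check over a task exported with `schtasks /Query /TN <name> /XML` that flags trigger-less tasks set to "Run with highest privileges" and reports when the elevated target sits in a user-writable path. The sample XML, the path-prefix list and the `audit_task` name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed heuristic: path prefixes a standard user can usually write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\",
                 "%appdata%", "%localappdata%", "%temp%")

# Constructed sample export; the user name and install path are made up.
SAMPLE_TASK = """<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Local\\Opera\\opera.exe</Command>
    </Exec>
  </Actions>
</Task>"""


def audit_task(xml_text):
    """Return run level, priority, commands and findings for one exported task."""
    root = ET.fromstring(xml_text)
    # "Run with highest privileges" is stored as RunLevel=HighestAvailable.
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", "LeastPrivilege", NS)
    # Priority 7 is the Task Scheduler default (below normal).
    priority = int(root.findtext("t:Settings/t:Priority", "7", NS))
    triggers = root.find("t:Triggers", NS)
    commands = [c.text.strip() for c in root.iterfind("t:Actions/t:Exec/t:Command", NS) if c.text]
    elevated = run_level == "HighestAvailable"
    findings = []
    if elevated and (triggers is None or len(triggers) == 0):
        findings.append("on-demand task runs elevated without a UAC prompt")
    for cmd in commands:
        if elevated and cmd.lower().strip('"').startswith(USER_WRITABLE):
            findings.append("elevated target is in a user-writable path: " + cmd)
    return {"run_level": run_level, "priority": priority, "commands": commands, "findings": findings}


if __name__ == "__main__":
    for line in audit_task(SAMPLE_TASK)["findings"]:
        print(line)
```

Files exported from the Task Scheduler GUI are UTF-16; pass their raw bytes to `ET.fromstring` so the XML declaration is honored.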
 
BeeJ

So how does IE run elevated when a link is clicked? Must be a way to
get Opera or Firefox to do the same. Registry or?
You probably helped explain this, I just need to study the terminology.
Thanks for the insights.

I have a similar problem, but worse, with scripts. They will not run
at all. I am about to turn off UAC and try the scripts.

I ran Vista for years with UAC off and had zero problems. Seems UAC is
of little help. Any stats on what UAC catches? MS must have some data
someplace.

I run Avast and it does catch bad stuff on rare occasions. Maybe that
is good enough.
 
Nil

> How do I set the UAC to off for individual .EXE?
> e.g. Opera, and others I know are OK to open.

I'm surprised you would find that necessary. I would think any recent
popular, well-written program would install itself in a manner that
would cooperate with UAC. I haven't had to jump through any such hoops
with either Vista or Windows 7, with the exception of Everything
Search, which needs the Task Scheduler trick described elsewhere in
this thread to avoid triggering UAC to request permission to run.
 
VanguardLH

BeeJ said:
> So how does IE run elevated when a link is clicked? Must be a way to
> get Opera or Firefox to do the same. Registry or?
> You probably helped explain this, I just need to study the terminology.
> Thanks for the insights.

I haven't done any of this by using the ACT to set elevated privileges
for an app. You create an sdb database file that lists the compat
config for an app and apparently Windows will read that database to
decide which apps get auto-elevated.

http://www.ghacks.net/2010/07/08/ge...microsofts-application-compatibility-toolkit/
http://www.msigeek.com/4823/creating-a-shimfix-using-compatibility-administrator
http://www.msigeek.com/4817/virtualregistry-shim-with-addredirect-registry-re-direction-to-fix-apps

Actually it looks like you create an sdb (shim database) file and then
use the sdbinst command to read from it and store that config info. So
it's probably stored in the registry, I don't know where, and it could
be encoded which means doing a text search won't find where that info
gets stored.

If you need to know where the sdb database info gets stored in the
registry, use an install monitor, like Zsoft Uninstaller. Take a
snapshot before registering the sdb database, register the sdb database
using the sdbinst program, and then have the install monitor check for
changes on your host which will list the registry changes (add, deletes,
and modifies). Or use a process monitor, like the one from SysInternals
(I have the old procmon utility since I don't like how they merged
procmon and memmon into their new utility), then run sdbinst and check
what registry entries it defines or touches. They might just add a GUID
definition (http://en.wikipedia.org/wiki/Globally_unique_identifier) in
the registry which defines attributes for a program of which privilege
level might be one.

http://technet.microsoft.com/en-us/library/cc749169(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc709628(WS.10).aspx

"An application shim is a compatibility layer that fools a legacy
application in to believing it's running in an older operating system"
(http://www.zdnet.com/blog/ou/the-real-story-on-vista-application-compatibility/325).
Or for whatever other attributes were defined in the shim.

I haven't bothered getting into all of this so you're asking the wrong
person if you want detailed help on how to use ACT and where the app
shims get defined or stored. It's up to you if you want to get into all
of this. Of course, you could suggest to Opera that they include an
.sdb file to provide an application shim so their users can circumvent
the UAC prompts.
 
Stan Brown

> I'm surprised you would find that necessary. I would think any recent
> popular, well-written program would install itself in a manner that
> would cooperate with UAC. I haven't had to jump through any such hoops
> with either Vista or Windows 7, with the exception of Everything
> Search, which needs the Task Scheduler trick described elsewhere in
> this thread to avoid triggering UAC to request permission to run.

Maybe the OP initially had UAC turned off when installing those
things, and then turned them on. I know some of the software I use
at work required manually elevating privilege under those
circumstances, though if I had UAC on when installing, the installer
requested elevated privilege (as it should) and then the actual
applications did not.
 
BeeJ

Stan Brown was thinking very hard :
> Maybe the OP initially had UAC turned off when installing those
> things, and then turned them on. I know some of the software I use
> at work required manually elevating privilege under those
> circumstances, though if I had UAC on when installing, the installer
> requested elevated privilege (as it should) and then the actual
> applications did not.

In my case, the UAC has always been set the same.
I guess I can uninstall Opera and re-install again.
 
